According to a newly released report from Forrester Research, CISOs will likely be forced to step out of a few of their comfort zones in 2026. This analysis, the 2026 Predictions Report for Cybersecurity, reflects the convergence of three forces rapidly reshaping the CISO's role: geopolitical instability, the proliferation of agentic AI, and accelerating regulatory mandates.
And, as Forrester predicts, 2026 will bring CISOs and security professionals potential AI breaches, tight infrastructure regulation, a new European Union vulnerability database, quantum security growth, and merger and acquisition shifts.
"2025 was a tumultuous year for cybersecurity professionals. A change in political leadership in the US introduced instability within federal cybersecurity agencies and had a worldwide ripple effect; the focus on AI technology shifted from generative AI (genAI) to agent and agentic AI for productivity, cybersecurity, and malicious actors; and the variety of cyberattacks targeting critical infrastructure markets as well as average businesses, reaching all four corners of the globe, kept security and risk teams on their toes," Paddy Harrington, senior analyst at Forrester said.
"In 2026, continued political instability coupled with technological advancements being used by cybercriminals will force security, risk, and privacy leaders to not just adapt their defensive technologies to respond but also to prepare their workforce for these shifts to reduce the risk to the business," Harrington added.
For 2026, Forrester predicts:
Agentic AI Will Cause High-Profile Public Breaches: The most immediate threat CISOs face is the maturation of agentic AI workflows without adequate security controls. Forrester predicts that agentic AI deployments will lead to public breaches and result in employee scapegoating by 2026. The critical insight: these breaches stem from cascading failures, not individual mistakes.
Forrester advises CISOs to proactively establish guardrails during the development of agentic AI applications, emphasizing the need to secure intent, implement identity and access management controls to track agent activity, and deploy data security controls to ensure data provenance tracking, all in accordance with the research firm's AEGIS framework.
The stakes are high—poorly secured autonomous systems will exacerbate accuracy-speed tradeoffs, directly exposing customer data.
Government Control of Telecom Infrastructure Will Become the New Normal: The Salt Typhoon cyberespionage campaign's breach of over 600 organizations across 80 countries fundamentally shifted government perspectives on critical infrastructure. Five governments are expected to nationalize or impose strict restrictions on telecom infrastructure in 2026. Australia, Italy, and the US have already begun taking action—Australia strengthened its SOCI (Security of Critical Infrastructure) Act oversight, Italy launched a €22 billion network restructuring plan with plans for encrypted satellite communications, and the US banned Chinese and Russian ownership of subsea cables. Forrester said the CISO implication will be profound as critical ecosystem risks will escalate due to vast, insecure IoT ecosystems and emerging LEO (Low Earth Orbit) satellite attack surfaces. CISOs must implement continuous control monitoring rather than relying solely on periodic assessments.
The EU Will Establish Its Own Known Exploited Vulnerability Database: Following "MITRE-geddon" in April 2025, the EU is moving toward vulnerability sovereignty. With proposed US CISA funding cuts exceeding $400 million and reductions of one-third of its workforce, the EU Vulnerability Database (EUVD) will establish its own KEV (Known Exploited Vulnerability) catalog, which outpaces CISA's capabilities. This fragmentation matters because most CISOs currently source KEV data through vendors.
Forrester advises CISOs to immediately ask their vulnerability management vendors how they flag KEVs from multiple sources and explore additional commercial vulnerability intelligence feeds to avoid dependency on any single source.
Quantum Security Spending Will Jump to 5% of Security Budgets: Commercial quantum computers are estimated to break today's asymmetric cryptography within less than 10 years. NIST's timeline is unforgiving: RSA and ECC support deprecation is scheduled for 2030, with disallowance in 2035. This is no longer a banking or critical infrastructure issue—all CISOs must plan quantum migration across four dimensions: consulting services for quantum security roadmaps, developer partnerships to replace outdated cryptographic libraries, vendor risk tracking for quantum migration plans, and cryptographic discovery and inventory tools. This represents a fundamental shift in how organizations value and budget for cryptographic agility.
Vendor Consolidation Will Create Service Risks: The acquisition of struggling cybersecurity firms by aging IT services vendors will create operational instability. These "optics-driven repositioning plays" will fail due to legacy infrastructure incompatibility with AI-ready security architecture, talent attrition, and misaligned platform strategies. CISOs relying on such merged entities should immediately negotiate service discounts while planning transitions to cloud-native, AI-driven platform providers.
"Security professionals want consolidation, or at least tools that are easier to integrate, easy to use, and that can get that single pane of glass," Melinda Marks, practice director, cybersecurity, at Omdia, said.
The 2026 predictions reveal three overarching themes for CISO cybersecurity strategy. First, regulatory fragmentation is likely to remain a persistent issue. The shift toward EU vulnerability sovereignty, combined with government takeover of critical telecom infrastructure, means CISOs can no longer optimize for a single compliance framework. Multi-region vulnerability intelligence sourcing and continuous ecosystem monitoring are now operational necessities.
Also, long-term cryptographic planning can't be delayed. The quantum timeline is fixed and accelerating. Beginning cryptographic inventory and agility assessments in 2026 is no longer optional—it directly impacts system longevity beyond 2035.
Finally, AI security governance must be embedded. Agentic AI breaches are inevitable without proper governance and oversight. CISOs cannot delegate AI security to application development teams—they must actively participate in establishing minimum viable security during application design, with a particular focus on identity controls and data provenance. "As you start moving into bringing innovation and technology into the mix, such as AI — and especially when you start moving to agentic AI — you need to have a nimble architecture. You must help provide the right guardrails so that people can move forward as quickly as possible," said Tim Crawford, CIO strategic advisor at AVOA.
